F5

    To configure your F5 firewall and integrate it with the Glasswall Halo ICAP server, please follow this configuration guide.

    Note: these steps are documented as per F5 version BIG-IP 17.1.1.3 Build 0.0.5 Point Release 3.

    Configure Interfaces and Routes

    • Before configuring the Interfaces, ensure you can see 3 Interfaces under Network -> Interfaces -> Interface List.
      • Note: this list shows the data plane Interfaces and does not include the management interface.
    • The names of the Interfaces will be 1.1, 1.2, 1.3.
    • Compare the MAC address of each Interface with the MAC addresses of the interfaces attached to the firewall VM, and note down which subnet each Interface belongs to.
    • In the Dev environment:
      • 1.1 belongs to the inside subnet.
      • 1.2 belongs to the outside subnet.
      • 1.3 belongs to the icap subnet.

    1 - Configure Management IP address

    Typically the first interface attached to the firewall is configured as the management interface. If for any reason the management UI is running on a different interface (IP address), follow these steps to change the Management IP address.

    1. Log in to the F5 Admin Portal.
    2. Navigate to System -> Platform.
    3. Under the Host IP Address drop-down, select Custom Host IP Address and enter the new IP.

    2 - Configure inside interface

    1. Navigate to Network -> VLANs -> VLANs List and click Create.
    2. Enter the name as inside-vlan.
    3. Select the inside interface from the drop-down and click Add.
      Note: the interface names will be 1.1, 1.2 and 1.3. The subnet each interface belongs to was noted down in the previous section, based on its MAC address.
    4. Click Finished.
    5. Navigate to Network -> Self IPs and click Create.
    6. Enter the name as inside-ip, and enter the IP Address and Netmask of the inside interface.
    7. Select the inside-vlan from the VLAN drop-down and click Finished.

    3 - Configure outside interface

    1. Navigate to Network -> VLANs -> VLANs List and click Create.
    2. Enter the name as outside-vlan.
    3. Select the outside interface from the drop-down and click Add.
    4. Click Finished.
    5. Navigate to Network -> Self IPs and click Create.
    6. Enter the name as outside-ip, and enter the IP Address and Netmask of the outside interface.
    7. Select the outside-vlan from the VLAN drop-down and click Finished.

    4 - Configure ICAP interface

    1. Navigate to Network -> VLANs -> VLANs List and click Create.
    2. Enter the name as icap-vlan.
    3. Select the ICAP interface from the drop-down and click Add.
    4. Click Finished.
    5. Navigate to Network -> Self IPs and click Create.
    6. Enter the name as icap-ip, and enter the IP Address and Netmask of the ICAP interface.
    7. Select the icap-vlan from the VLAN drop-down and click Finished.

    ICAP Integration

    1 - Create ICAP Pool

    The ICAP pool represents a pool of ICAP servers.

    1. Navigate to Local Traffic -> Pools and click Create.
    2. Enter an appropriate name and description; e.g. Name - dev-aks-icap-pool, Description - ICAP Pool for Dev AKS env.
    3. Under Health Monitors, select tcp from the Available column and move it to the Active column.
    4. Enter an appropriate Node Name. e.g. dev-aks-icap-node.
    5. Enter the IP address of the ICAP server, set Service Port to 1344 and click Add.
    6. Click Finished to save the configuration. If the health checks are successful, the status will appear in green, otherwise red.

    2 - Create HTTP Pool

    The HTTP pool represents the pool of web servers that need to be protected by the F5.

    1. Navigate to Local Traffic -> Pools and click Create.
    2. Enter an appropriate name and description. e.g. Name - dev-http-pool, Description - Onboarding web app dev.
    3. Under Health Monitors, select http from the Available column and move it to the Active column.
    4. Enter an appropriate Node Name. e.g. dev-onboarding-app-node1.
    5. Enter the IP address and port of the web server, and click Add.
    6. Click Finished to save the configuration. If the health checks are successful, the status will appear green, otherwise red.

    3 - Create ICAP profile

    The ICAP profile is used to send traffic from the HTTP virtual server to the ICAP server so that the content is processed by CDR. In this scenario we want to process the files uploaded to the web server, so we need to use the ICAP Request modification service.

    1. Navigate to Local Traffic -> Profiles -> Services -> ICAP and click Create.
    2. Enter an appropriate name. e.g. dev-icap-req-mod.
    3. Select icap as the Parent Profile.
    4. Select the Custom box in Settings and enter icap://${SERVER_IP}:${SERVER_PORT}/req-cdr-service?profile=default in the URL. You can use a custom ICAP profile if needed.
    5. Complete the other fields as required and click Finished.

    4 - Create HTTP profile

    A custom HTTP profile can be used to modify the HTTP traffic of the web server.

    1. Navigate to Local Traffic -> Profiles -> Services -> HTTP and click Create.
    2. Enter an appropriate name. e.g. dev-http-profile.
    3. Select http as the Parent Profile.
    4. Select the Custom box in Settings and customise the settings as required.
    5. Click Finished to save the profile.

    5 - Create ICAP internal virtual server

    An internal virtual server is a special type of virtual server used to send traffic to the ICAP server. The ICAP virtual server sits in front of the ICAP pool.

    1. Navigate to Local Traffic -> Virtual Servers -> Virtual Servers List and click Create.
    2. Enter an appropriate name and description. e.g. dev-icap-vs.
    3. Select Type as Internal and enter 0.0.0.0/0 as the source address.
    4. Select Advanced configuration and under ICAP Profile, select the ICAP profile created in Step 3.
    5. Under Default Pool, select the ICAP pool created in Step 1.
    6. Click Finished to save the virtual server.

    6 - Create Request Adapt profile

    1. Navigate to Local Traffic -> Profiles -> Services -> Request Adapt and click Create.
    2. Enter an appropriate name. e.g. dev-icap-req-adapt.
    3. Under the Parent profile, select requestadapt.
    4. Select the Custom box in Settings, and select the internal ICAP virtual server created in Step 5 in the Internal Virtual Name drop-down.
    5. Select the service down action as needed. This determines what happens to traffic when the ICAP server is down.
      1. Drop: Drops the traffic at the HTTP virtual server.
      2. Reset: Resets the connection on the client side.
      3. Ignore: Sends the original traffic to the web server without ICAP processing.
    6. Click Finished to save the request adapt profile.

    7 - Create HTTP virtual server

    An HTTP virtual server sits in front of the HTTP pool and provides a virtual IP address that users can use to access the protected web server.

    1. Navigate to Local Traffic -> Virtual Servers -> Virtual Servers List and click Create.
    2. Enter an appropriate name. e.g. dev-onboarding-http-vs.
    3. Enter 0.0.0.0/0 in the Source Address.
    4. Choose an IP address for the HTTP virtual server that does not conflict with any other address space and enter it as the destination address.
    5. Enter the web server port as the Server Port.
    6. Select Advanced configuration and select the HTTP profile created in Step 4 under HTTP Profile (Client).
    7. Select the request adapt profile created in Step 6 under Request Adapt Profile.
    8. Select Auto Map under the Source Address Translation drop-down.
    9. Select the HTTP pool under Default Pool and click Finished.
